Nebraska Medicine has discovered an employee has accessed the medical records of patients without any legitimate work reason for doing so over a period of almost three months.
The privacy violation was discovered during a routine audit of its medical record system. The audit revealed the employee had first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019 when the privacy violations were discovered.
Upon discovery, steps were taken to prevent further unauthorized access while the matter was investigated. The employee in question was fired the day after the privacy violations were discovered.
According to a statement released by Nebraska Medicine, affected individuals have been notified by mail and any individual whose Social Security number was potentially viewed has been offered complimentary credit monitoring services for 12 months as a precaution.
Nebraska Medicine does not have any reason to believe that any sensitive information has been or will be misused, suggesting the employee was accessing the records out of curiosity. It is unclear how many individuals have been affected at this stage.
According to the breach notification letter sent to affected patients, the types of information in the records that were accessed includes names, addresses, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, clinical information, physicians’ notes, lab test results and medical images.
Presbyterian Healthcare Services Discovers Phishing Attack Was More Extensive than Initially Thought
In August 2019, Presbyterian Healthcare Services announced that the email accounts of several employees had been compromised as a result of a phishing attack.
Presbyterian Healthcare Services learned about the breach on June 9 and the investigation indicated the affected accounts contained the protected health information of 183,370 patients. Notifications were issued, but the breach investigation has continued. Presbyterian Healthcare Services has now learned that the beach was more extensive than previously thought and the compromised accounts contained the PHI of 276,000 patients.
Further notification letters were sent to patients on November 25 in which it was stressed that no evidence was found to indicate any PHI in the accounts was accessed, downloaded or appears to have been misused in any way. It was also confirmed that only the email system was affected. The attackers did not have access to medical records or its billing system.